Has the national cyberspace security initiative lost its momentum?

During the first half of 2002, U.S. cybersecurity czar, Richard Clarke, boldly carried the banner for regulating cybersecurity. However, in the recent draft of the initiative, much of this campaign's strength appears to have been sapped.

In September 2002, the White House released a draft of an initiative aimed at securing cyberspace. The document resulted from nearly a year of work aimed at consolidating business and government efforts to protect the Internet infrastructure, which has become so vital for the operations of both entities.

Based on early reports, this plan has the potential to greatly affect security administration in companies large and small, and therefore its progress, or lack thereof, will have important implications for IT budgets and long-range plans. Let's take a look at some of the directives included in this initiative and how they will affect administrators and the IT world.

Key issuesHere are four of the most interesting and important points concerning the initiative:

Government-mandated security procedures could result in a lot of new rules that IT departments will need to follow and enforce. This has raised complaints about increased government control that would require new spending on IT security by virtually every business in America. However, early drafts of this initiative have mostly called for mandatory security requirements that many companies and government agencies already have in place. These standard security procedures (like antivirus control and ensuring strong passwords) are minimal standards rather than some exotic new procedures. They're steps that administrators should already be taking, but repeated exploits of well-known vulnerabilities show that many admins are not given the time or budgets they need to follow security best practices. In this regard, government mandates could actually make life easier for some admins.

A solid, well-reasoned, and widely applied cyberspace security strategy could reduce the worries of many administrators because they would have greater confidence that other IT departments were following good practices and that hackers would have less of a chance to compromise those systems and use them to launch an attack.

Some early rhetoric by White House cybersecurity czar, Richard Clarke, (who is in charge of this report) made it appear that a great deal of pressure would be placed on major software and hardware producers to ensure that their products were better tested and had far fewer vulnerabilities when released for general use.

An important feature of the early drafts was a call for massive government spending to improve and secure vital Internet protocols, perhaps even taking the responsibility for them out of the hands of the mostly volunteer organizations that current manage them.

“By selling broadband connectivity to home users without making security a priority, telecommunications companies, cable providers, and ISPs have not only opened the nation's homes to attack, but also created a host of computers with fast connections that have hardly any security.”

"Millions of houses are getting connected, which means that more and more are getting vulnerable."

Clarke put wireless networks on his list of top five security offenders. "Companies throughout the country have networks that are wide open because of wireless LANs," he said. He added that the Department of Defense has already ordered the shutdown of all wireless LANs in use within the department and in the various military forces.

Clark blamed the estimated 3 billion dollar cost of the Nimda worm on poor management, saying that Nimda was able to spread because patches weren't applied, not because the vulnerabilities hadn't been identified.

He also attributed many problems to the companies that produce hardware and software for the Internet. "The software industry has an obligation to do a better job producing software that works. It is no longer acceptable that we can buy software and run software on sensitive systems that is filled with glitches."

After Clarke's delivery of such strong rhetoric before a gathering of top hackers and security experts, the final report is more than a bit disappointing. For example, it contains only a mild recommendation that wireless security get some needed attention.

Somewhere between the July speech and the September release of the draft proposal, this plan lost hundreds of specific recommendations and thousands of pages, becoming little more than an executive summary that security experts have been asked to comment on before the final report is released.

According to News.com, the August draft of the report was much longer and contained many more detailed recommendations. Another News.com report, dated Sept. 19, 2002, indicated that there’s virtually nothing new in the final White House draft report.

“Instead of making substantive changes in the executive branch's stance on electronic security,” the News.com story said, the report "echoes the hands-off approach established by the Clinton administration in a 1997 report." That paper, "A Framework for Global Electronic Commerce," offered a similar perspective. Its first principle was: “The private sector should lead.”

The period for comments on the new draft report was scheduled to end on Nov. 18, 2002, but there is no new information posted on the applicable Web page. In fact, a search of White House public documents in mid-December indicated that there was no mention of the word “cyberspace” in any White House document dated after the Sept. 18, 2002, release of the draft proposal. The real “strategy” may be to let this initiative die a quiet death.

The draft contains no echo of Clarke’s earlier call for the federal government to spend millions of dollars to overhaul critical Internet protocols or any recommendations for mandatory enforcement of any new or existing security policies.

AnalysisAfter wading through the 64-page draft, I was mostly upset that I had taken even five minutes of my own time preparing to participate in one of the town hall meetings regarding this plan. What’s the point of commenting on a report titled “The National Strategy to Secure Cyberspace” when it states only that the private sector controls the backbone of the Internet and should do a better job of keeping it safe?

If you read the draft report carefully, you’ll note that it doesn’t call for a single new law, regulation, or mandatory procedure. Too much government regulation can be a problem, and in many ways, I like the emphasis on pressuring vendors to improve products and services using government and corporate purchasing procedures as a lever. But while under terrorist threats, do we have the time it will take for “the power of the purse” to bring needed changes to the lax product and service security we encounter at every turn?

There are already laws governing interstate commerce, ones we so readily accept that we don’t even realize how intrusive they actually are—or how vital. I’m referring to such things as traffic laws, which require that everyone drive on the right side of the road and pass a test before being allowed to drive. I see stricter regulation of both ISPs and the security of some Internet protocols as being analogous to such laws.

After the draft report was released, News.com quoted James Lewis, director of the Center for Strategic and International Studies' (CSIS) Council on Technology and Public Policy as saying, "Cybersecurity is too tough a problem for a solely voluntary approach.… Companies will only change their behavior when there are both market forces and legislation that cover security failures. Until the U.S. has more than just voluntary solutions, we'll continue to see slow progress in improving cybersecurity."